
Maurice Naggar

Experts
  • Posts: 27,512
  • Joined
  • Days Won: 74

Everything posted by Maurice Naggar

  1. Hello @zapf If you have a file that you need analyzed, just upload it to VirusTotal, where multiple scan engines from different security companies can provide analysis. The link is this As to here, no, I do not desire it. If you desire help for this pc, attach a copy of the msert log file & also state whether the pc has Malwarebytes for Windows & the name of the resident antivirus. Also state just what 'program' specifically 'flagged' the file.
  2. Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following for Tips to help protect from infection Thank you
  3. Your system is good to go. The Malwarebytes scan was good. I had you run Adwcleaner + 3 separate virus scans, plus a custom script fix. You have installed the Malwarebytes Browser Guards. We can proceed with cleanup of tools we used.
     To remove the FRST64 tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe. Then run that (double click on it) to begin the cleanup process.
     You may delete msert.exe
     Delete esetonlinescanner.exe
     Any other download file I had you download, you may delete.
     I wish you all the best. Stay safe. Sincerely, Maurice
  4. Thank you. That was a very good run. Tell me, how is the system at this point? We are done with the Sophos VRT tool. Now to uninstall it.
     1. Press & hold the Windows key on the keyboard & then tap the R key to open the Run box window.
     2. Type appwiz.cpl and tap Enter. The Programs and Features window will appear. Locate on the list "Sophos Virus Removal". Do a right-click on it. Then choose Uninstall. Let it proceed. Exit Programs and Features.
  5. Thank you for that. I have one last custom fix script here. Your Downloads folder is C:\Users\arthu\Downloads
     We will use FRSTENGLISH.exe to run a custom script. The system will be rebooted after the script has run. This custom script is for Ay000 only / for this machine only. This custom script has some specific things, plus some general aspects to help the system overall.
     NOTE-1: This script's main goal is to remove one scheduled task that uses an odd & suspicious script & to remove a few suspicious zero-byte files.
     Please be sure to close any open work files, documents, any apps you started yourself before starting this. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
     Please save the (attached file named) FIXLIST.txt to the Downloads folder. Fixlist.txt
     Then, start the Windows Explorer and then go to the Downloads folder. RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version.
     IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click the line "More info" on that screen and click the button "Run anyway" on the next screen.
     On the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
     When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your reply.
  6. NOTE: This thread/topic was ONLY for "iamscared". This section of the forum is strictly one to one. We do not do "me too" posts. We do not do "group" help.
  7. Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread. Tips to help protect from infection Thanks
  8. Alright. We are done with the Sophos VRT tool. Now to uninstall it.
     1. Press & hold the Windows key on the keyboard & then tap the R key to open the Run box window.
     2. Type appwiz.cpl and tap Enter. The Programs and Features window will appear. Locate on the list "Sophos Virus Removal". Do a right-click on it. Then choose Uninstall. Let it proceed. Exit Programs and Features.
     [ 2 ] Let me suggest that you get your browsers each, as applicable, to have the Malwarebytes Browser Guard. See Support article how-to https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard For the Windows 10 EDGE browser, it can take the same one as for Chrome. Note: If your pc has Opera or Brave or Vivaldi browser, you can install the Chrome version of the Malwarebytes Browser Guard (on each as appropriate). I would like to see each web browser here on this pc have the apropos Malwarebytes Browser Guard.
     [ 3 ] Let's do one scan with Malwarebytes Adwcleaner to check for adware. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browsers, are closed. It will not take much time. First download & save it https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner Then be sure to close all web browsers. Then go to where the EXE file is saved. Start Adwcleaner. Then do a scan with Adwcleaner https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean Attach the clean log.
  9. Please be sure to read this technical article on the Malwarebytes Blog about "ransom.crysis" https://blog.malwarebytes.com/detections/ransom-crysis/ As noted before, we cannot recover any of your encrypted files. We have no magical tool. Malwarebytes has no decrypter. You could recover your damaged files from an offline backup (that you had made from before this ransomware incident). Offline backup is your friend. Do you have an old offline backup of your machine? Is Malwarebytes for Windows installed on this machine? Please download, install, update and do a Threat Scan with Malwarebytes and post back the log.
  10. Note: Some of the "ransom note" files can have names similar to:
      README.txt
      HOW TO DECRYPT YOUR DATA.txt
      Readme to restore your files.txt
      Decryption instructions.txt
      FILES ENCRYPTED.txt
      Files encrypted!!.txt
      Look for similar names on the Desktop & under Documents. On first thoughts, this here seems to be a new variant of Crysis / Dharma ransomware.
  11. Hi, @Sam_Mason Sorry to read this. Please know that Malwarebytes has no decrypter. Please look in your Documents folder & or Desktop for some file named like "Readme" and attach a copy. Tell me, did this pc have installed before this happened, the Premium Malwarebytes for Windows?
  12. When you get a chance, having a copy of the log from the last scan would help me to help you. Upload C:\Windows\debug\msert.log
      > This is a different special tool to check your pc for viruses, trojans & other malware.
      Download Sophos Free Virus Removal Tool and save it to your desktop.
      If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete..... Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
      Double click the icon and select Run
      Click Next
      Select I accept the terms in this license agreement, then click Next twice
      Click Install
      Click Finish to launch the program
      Once the virus database has been updated click Start Scanning
      If any threats are found click Details, then View log file... (bottom left hand corner)
      Attach the results in your reply
      Close the Notepad document, close the Threat Details screen, then click Start cleanup
      Click Exit to close the program
      If no threats were found please confirm that result....
      The Virus Removal Tool scans the following areas of your computer: Memory, including system memory on 32-bit (x86) versions of Windows; the Windows registry; all local hard drives, fixed and removable. Mapped network drives are not scanned.
      Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.
      Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs
      Let me know what Sophos reports.
  13. Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following for Tips to help protect from infection Thank you
  14. That is a worthwhile run. ESET Online found and removed a handful of potentially unsafe applications.
      > This is a different special tool to check your pc for viruses, trojans & other malware.
      Download Sophos Free Virus Removal Tool and save it to your desktop.
      If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete..... Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
      Double click the icon and select Run
      Click Next
      Select I accept the terms in this license agreement, then click Next twice
      Click Install
      Click Finish to launch the program
      Once the virus database has been updated click Start Scanning
      If any threats are found click Details, then View log file... (bottom left hand corner)
      Attach the results in your reply
      Close the Notepad document, close the Threat Details screen, then click Start cleanup
      Click Exit to close the program
      If no threats were found please confirm that result....
      The Virus Removal Tool scans the following areas of your computer: Memory, including system memory on 32-bit (x86) versions of Windows; the Windows registry; all local hard drives, fixed and removable. Mapped network drives are not scanned.
      Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.
      Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs
      Let me know what Sophos reports.
  15. That report result is good, thanks. 😀 I would suggest a free scan with the ESET Online Scanner. This will be another check for viruses, other malware, adware, & potentially unwanted applications.
      Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
      It will start a download of "esetonlinescanner.exe". Save the file to your system, such as the Downloads folder, or else to the Desktop.
      Go to the saved file, and double click it to get it started. When presented with the initial ESET options, click on "Computer Scan". Next, when prompted by Windows, allow it to start by clicking Yes.
      When prompted for scan type, click on Full scan. Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
      Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from the machine & let it be.
      You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
      When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results". Click the blue "Save scan log" to save the log. If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom). Press Continue when all done. You should click to turn off the offer for "periodic scanning".
      Please make sure you attach the log report.
  16. Just some additional notes for information & guidance to relay to you. And I do not intend to distract you from running the MS Safety Scanner. While this case is on-going, since I notice that Chrome is the default web browser, I would urge you to stop using Chrome. Instead, just use the EDGE browser, and only for absolute needs. That is to say, let's not do any free-wheeling web surfing, and no online games. Only go to websites that are a must do. Otherwise, keep all web browsers closed. My view is that Chrome or some other web browser is involved in these "outbound" attempts to reach some site "ai.backend-chat.com" at IP 104.21.87.221 (which appears to be on the blocklist). So one of the to-do things, if the block notices re-appear, is to close (exit) all web browsers. Then wait & notice whether the block notices cease. The other thing I notice is that your Chrome browser has a big list of websites that are allowed to auto-show notifications. That is something you need to really & truly review & reduce to only what is absolutely a must. But again, stay out of Chrome as much as possible.
  17. Hello. It seems that you did not yet run the MS Safety Scanner. So the first thing to do now, is, to run the Microsoft Safety Scanner. Just like I listed before. Then afterwards, I will guide you forward with other steps.
  18. Good. You are doing well. Let's do one scan with Malwarebytes Adwcleaner to check for adware. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browsers, are closed. It will not take much time. First download & save it https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner Then be sure to close all web browsers. Then go to where the EXE file is saved. Start Adwcleaner. Then do a scan with Adwcleaner https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean Attach the clean log.
  19. You did upload the Fixlog.txt and that is a good & useful thing. The custom script run is a good & worthwhile one. The Windows System File Checker did find & correct some system files. The Windows DISM tool found no issues. The system should be in better shape.
      As to the uploading issue on this forum, sometimes when that happens, what helps is to exit out of the browser. Then restart it.
      For the Firefox browser, you should remove (undo) the option setting to "restore prior session". Having a browser restore the prior session can be problematic when you have a case of a problem. I.e., when there is a problem, having the last session restored can be a circular problem round.
      Next actions: See this article on our Malwarebytes Blog https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/ You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera. Scroll down to the tips section "How do I disable them".
      [ 2 ] Let me suggest that you get your browsers each, as applicable, to have the Malwarebytes Browser Guard. See Support article how-to https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard Note: If your pc has the Windows 10 EDGE browser, or Opera or Brave or Vivaldi browser, you can install the Chrome version of the Malwarebytes Browser Guard (on each as appropriate). For Firefox, there is a separate Browser Guard.
  20. @oceanjewel Hello. My name is Maurice. Let me know what name you prefer to go by. I will guide you. I need a report set for review. This is a report only.
      Please download MBST Support Tool. Once you start it click Advanced >>> then Gather Logs. Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.
      Please attach mbst-grab-results.zip to your reply, like displayed here. To send (upload) attachments please click the "ADD Files" link. Then browse to where your file is located and select it and click the Open button. The set of data from the report will provide much needed information. Please always attach reports as we go along.
  21. Thank you for the Fixlog report. The run is good. I had not intended to imply it would run a long time. I only meant to be patient on the run. The Windows System File Checker (SFC) ran and that result is good. It checked the integrity of some Windows system files. That result is good. The temporary sub-folder where the suspect file had been located is removed.
      Just by the way, Windows 10 is more secure, but this hardware will not support it. Just also by the way, I do not personally recommend any "Iobit" app. Instead, I would only just use the Windows tools built in to do what is needed. For example, to uninstall the Adobe Flash:
      1. Press & hold the Windows key on the keyboard & then tap the R key to open the Run box window.
      2. Type appwiz.cpl and tap Enter.
      3. The Programs and Features window will appear. Locate on the list "Adobe Flash Player 21 ActiveX". Do a right-click on it. Then choose Uninstall. Let it proceed. Then look for "Adobe Flash Player 23 NPAPI". Do a right-click on it. Then choose Uninstall. Let it proceed. When completed, exit Programs and Features.
      Now do a new scan with Malwarebytes for Windows. Advise me of the result. Locate the Scan run report; export out a copy; & then attach it in with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
  22. One file was tagged as a worm & removed: E:\Google Drive\Private\Microsoft Toolkit 2.5.3\Microsoft Toolkit.exe
      The other item was one registry setting that had Defender's anti-spyware ability off. That is a standard setting when the machine has a third-party antivirus. That is not considered an actual "infection".
      By the way, about what you "saw" on intermediate displays of the Microsoft Safety Scanner, I would like you to review the remarks by AndyDavid about all that on this Microsoft community venue https://docs.microsoft.com/en-us/answers/questions/326108/mar-1721-msert-detects-items-during-scan-but-at-en.html Also, the post by EricYin of Microsoft (just below that section). In actuality here, from this last scan, there was only 1 file that counted as malware.
      Now then..... I suggest you proceed with the custom Fix script I had posted before https://forums.malwarebytes.com/topic/278698-may-be-infected/?do=findComment&comment=1479654
  23. Hi, thanks very much for the report file. That is a tremendous help. It is not possible to know how this machine got infected. There just is not a unified global log on the machine that would have the answer. But one can point to the most typical ways. Maybe someone attached an infected USB-thumb-flash drive. There are always the other typical ways: Being too quick on the Click-finger & downloading some free thing, or a drive-by intrusion when using a web browser thru an infected or compromised website. Or, downloading a hack tool to get around paying for a software app. Opening attachments from an Email (without first scanning it with antivirus) is often an avenue for infection. Below I list a couple of articles on the subject.
      How Did My Protected PC Get Infected? https://www.pcworld.com/article/202771/protected_but_infected.html
      How did I get infected https://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/
      You report this machine is a second-hand machine. Did someone erase the hard drive & then do a clean new install of Windows 7? Most pc's have a method from the computer manufacturer (on a hidden partition) to do a "factory restore" operation to reset the system to the way it came out Day 1 at the factory.
      Be aware this machine has 2 Adobe Flash player apps that are way way obsolete, plus Adobe no longer supports them. You need to uninstall both Adobe Flash Player 21 ActiveX and Adobe Flash Player 23 NPAPI. Obsolete apps are one thing that malware exploits.
      Please also be very conscious that Windows 7 is very much unsupported by Microsoft. It has not been getting security updates. This operating system is at risk of future infections due to the Operating System being unsupported. Windows 11 & the upcoming Windows 12 operating systems are much more secure.
      Here below is a custom run intended to do some cleanups. Please take time to read carefully & apply all directions below. If you have a question, stop and ask me first.
      Your Downloads folder is C:\Users\Oma\Downloads
      We will use FRSTENGLISH.exe to run a custom script. The system will be rebooted after the script has run. This custom script is for UhhConfused only / for this machine only. This custom script has some specific things, plus some general aspects to help the system overall.
      NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will rebuild the Winsock.
      NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. The following directories are emptied: Windows Temp; Users Temp folders; Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History; Recently opened files cache; Flash Player cache; Java cache; Steam HTML cache; Explorer thumbnail and icon cache; Recycle Bin. Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.
      Please be sure to close any open work files, documents, any apps you started yourself before starting this. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
      Please save the (attached file named) FIXLIST.txt to the C:\Users\Oma\Downloads folder. Fixlist.txt
      Then, start the Windows Explorer and then go to the Downloads folder. RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version.
      IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click the line "More info" on that screen and click the button "Run anyway" on the next screen.
      On the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
      When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
  24. Get your rest. As I said before, Malwarebytes has no decrypter. We are unable to help you about your encrypted user files.
  25. For the first-original machine: Once the Safety Scanner has finished, attach & send the log so I can review. And then after that is all done, then I have a custom script for this machine here. Here below is a custom run intended to do some cleanups. Please take time to read carefully & apply all directions below. If you have a question, stop and ask me first.
      [ 1 ] As a next basic step, please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
      [ 2 ] Your Downloads folder is C:\Users\TheNa\Downloads
      We will use FRST64.exe to run a custom script. The system will be rebooted after the script has run. This custom script is for TOMA776 only / for this machine only. This custom script has some specific things, plus some general aspects to help the system overall.
      NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will rebuild the Winsock. It will run the Windows DISM tool to check the system.
      NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. The following directories are emptied: Windows Temp; Users Temp folders; Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History; Recently opened files cache; Flash Player cache; Java cache; Steam HTML cache; Explorer thumbnail and icon cache; Recycle Bin. Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.
      Please be sure to close any open work files, documents, any apps you started yourself before starting this. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
      Please save the (attached file named) FIXLIST.txt to the Downloads folder. Fixlist.txt
      Then, start the Windows Explorer and then go to the Downloads folder. RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version.
      IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click the line "More info" on that screen and click the button "Run anyway" on the next screen.
      On the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
      When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later.